Due to my ISP forcing me to use their router if I want to use their bundled VOIP service, since upgrading to FTTP I now have to have my ASUS sitting behind my ISP's router. Annoyingly they don't allow their router to run in a bridged mode.
As much as I can I have tried to make it a native bridge mode, by turning off all WiFi radios and the firewall on the ISP router; turning off its DHCP server; connecting only the ASUS router to the ISP router via ethernet and assigning it a static IP; using a static IP for the ASUS WAN interface and the ISP router as its gateway; placing the ASUS router in the ISP router's DMZ; and also forwarding all TCP&UDP ports (1:65535) from the ISP router to the ASUS.
This seems to work fine. Despite technically being in a Double-NAT, it is functionally working as close as possible to a direct connection, and I can even access the ASUS' OpenVPN server when remote, all whilst being able to continue using the ISP's bundled VOIP.
However, I would like to only allow my own, one device, access to the ISP router's admin page, and none of my family's devices on the LAN. The ISP router is on the 192.168.1.0/24 subnet, whilst the LAN's subnet from the ASUS DHCP server is 192.168.5.0/24.
I'm sure there is a way of achieving this using the ASUS firewall, but I'm not sure of the best method. I was thinking to use the Firewall's Network Services Filter deny list from the GUI, with the ISP router's address as the destination, but then it seems I would have to enter every device that isn't my own. Is there a way of using the Deny List but using a not condition? e.g. Deny !192.168.5.52 -> 192.168.1.0/24 ? I'm guessing the best thing would be to use a manual iptables rule entered in the CLI, but I'm not sure of the best way of doing that on Merlin. Any help would be appreciated.
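One way to get the "allow one host, deny the rest" behaviour the post asks for, as an added example that is not from the original post: a script in the shape Merlin expects for /jffs/scripts/firewall-start (the hook Merlin runs after it has rebuilt its own firewall rules). The addresses 192.168.5.52 and 192.168.1.0/24 come from the post; the LAN bridge name br0, the use of nvram to read the WAN interface name, the chain name ISP_ADMIN and the log prefix are my assumptions. Traffic from the LAN to the ISP router's subnet crosses the ASUS as forwarded traffic, so the rule belongs in the FORWARD chain (and it is inserted at position 1 so it runs before Merlin's own accept rules); iptables supports the negated source the post wonders about directly with `! -s`, and the one-rule form is shown alongside the chain form.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin (not the poster's code).
# Assumptions (mine): LAN bridge is br0, WAN interface name is read from nvram,
# and only 192.168.5.52 may reach the ISP router subnet 192.168.1.0/24.

ALLOWED_HOST="192.168.5.52"     # the one admin device (from the post)
ISP_NET="192.168.1.0/24"        # ISP router's subnet (from the post)
LAN_IF="br0"                    # assumed LAN bridge name
CHAIN="ISP_ADMIN"               # assumed name for our user-defined chain

# Read the WAN interface name from nvram on the router; fall back to eth0 elsewhere.
wan_ifname() {
    name="$(nvram get wan0_ifname 2>/dev/null)"
    [ -n "$name" ] || name="eth0"
    printf '%s\n' "$name"
}

# Print the iptables commands that implement the policy. Printing rather than
# running keeps the logic reviewable and testable without root; apply_rules runs it.
# Args: LAN_IF WAN_IF ALLOWED_HOST ISP_NET
build_rules() {
    lan_if="$1"; wan_if="$2"; allowed="$3"; isp_net="$4"
    cat <<EOF
iptables -N $CHAIN 2>/dev/null
iptables -F $CHAIN
iptables -A $CHAIN -s $allowed -j ACCEPT
iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix "ISP-ADMIN-BLOCK: " --log-level 4
iptables -A $CHAIN -j DROP
iptables -D FORWARD -i $lan_if -o $wan_if -d $isp_net -j $CHAIN 2>/dev/null
iptables -I FORWARD 1 -i $lan_if -o $wan_if -d $isp_net -j $CHAIN
EOF
}

# The single-rule equivalent of the "Deny !192.168.5.52 -> 192.168.1.0/24" the post
# asks for: iptables negates a match with "!" in front of the option.
deny_rule() {
    lan_if="$1"; wan_if="$2"; allowed="$3"; isp_net="$4"
    printf 'iptables -I FORWARD 1 -i %s -o %s ! -s %s -d %s -j DROP\n' \
        "$lan_if" "$wan_if" "$allowed" "$isp_net"
}

# Run the generated commands (needs root on the router).
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Return 0 if the FORWARD jump is in place, 1 otherwise (handy in a cron check).
check_rules() {
    lan_if="$1"; wan_if="$2"; isp_net="$3"
    iptables -C FORWARD -i "$lan_if" -o "$wan_if" -d "$isp_net" -j "$CHAIN" 2>/dev/null
}

# When installed as firewall-start, Merlin invokes the script with no arguments,
# so apply unconditionally there; here "apply" is required so the file can be
# sourced or linted without touching the firewall.
case "${1:-}" in
    apply) apply_rules "$LAN_IF" "$(wan_ifname)" "$ALLOWED_HOST" "$ISP_NET" ;;
    show)  build_rules "$LAN_IF" "$(wan_ifname)" "$ALLOWED_HOST" "$ISP_NET" ;;
esac
```

To use it on the router the script needs "Enable JFFS custom scripts and configs" turned on under Administration > System, the file must be executable, and the `case` guard would be replaced by an unconditional `apply_rules` call so it runs when Merlin invokes firewall-start. Matching on the source IP only holds as long as the admin device keeps that address and nobody else takes it, so give 192.168.5.52 a DHCP reservation; if that is not strong enough, `-m mac --mac-source` on the ACCEPT line ties the exception to the device's MAC as well. The LOG line is rate-limited so a misbehaving device cannot flood the syslog, and the entries it writes make it easy to see which LAN hosts are trying to reach the ISP router.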